May 15, 2019

In the early days of the Internet, there was a period when Internet Protocol version 4 (IPv4) addresses (e.g. 4.4.4.4) were given out like cotton candy to anyone who asked. But these days companies are queuing up to obtain new IP space from the various regional registries that periodically dole out the prized digits. With the value of a single IP hovering between $15-$25, those registries are now fighting a wave of shady brokers who specialize in securing new IP address blocks under false pretenses and then reselling to spammers. Here’s the story of one broker who fought back in the courts, and lost spectacularly.

On May 14, South Carolina U.S. Attorney Sherri Lydon filed criminal wire fraud charges against Amir Golestan, alleging he and his Charleston, S.C. based company Micfo LLC orchestrated an elaborate network of phony companies and aliases to secure more than 735,000 IPs from the American Registry for Internet Numbers (ARIN), a nonprofit which oversees IP addresses assigned to entities in the U.S., Canada, and parts of the Caribbean.

Interestingly, Micfo itself set this process in motion late last year when it sued ARIN. In December 2018, Micfo’s attorneys asked a federal court in Virginia to issue a temporary restraining order against ARIN, which had already told the company about its discovery of the phony front companies and was threatening to revoke some 735,000 IP addresses. That is, unless Micfo agreed to provide more information about its operations and customers.

At the time, many of the IP address blocks assigned to Micfo had been freshly resold to spammers. Micfo ultimately declined to provide ARIN the requested information, and as a result the court denied Micfo’s request (the transcript of that hearing is instructive and amusing).

But by virtue of the contract Micfo signed with ARIN, any further dispute had to be settled via arbitration. On May 13, that arbitration panel ordered Micfo to pay $350,000 for ARIN’s legal fees and to cough up any of those 735,000 IPs the company hadn’t already sold.

According to the criminal indictment in South Carolina, in 2017 and 2018 Golestan sold IP addresses using a third party broker:

“Golestan sold 65,536 IPv4 addresses for $13 each, for a total of $851,896,” the indictment alleges. “Golestan also organized a second transaction for another 65,536 IP addresses, for another approximately $1 million. During this same time period, Golestan had a contract to sell 327,680 IP addresses at $19 per address, for a total of $6.22 million” [this last transaction would be blocked.]

The various front companies alleged to have been run by Micfo and Amir Golestan.

Mr. Golestan could not be immediately reached for comment. Golestan’s attorney in Micfo’s lawsuit against ARIN declined to comment on either the criminal charges or the arbitration outcome. Calls to nearly a dozen of the front companies named in the dispute mostly just rang and rang with no answer, or went to voicemail boxes that were full.

Stephen Ryan is a Washington, D.C.-based attorney who represented ARIN in the dispute filed by Micfo. Ryan said this was the first time ARIN’s decision to revoke IP address space resulted in a court battle — let alone arbitration.

“We have revoked addresses for fraud before, but that hasn’t previously resulted in litigation,” Ryan said. “The interesting thing here is that they litigated this for five months.”

According to a press release by ARIN, “Micfo obtained and utilized 11 shelf companies across the United States, and intentionally created false aliases purporting to be officers of those companies, to induce ARIN into issuing the fraudulently sought IPv4 resources and approving related transfers and reassignments of these addresses. The defrauding party was monetizing the assets obtained in the transfer market, and obtained resources under ARIN’s waiting list process.”

“This was an elaborate operation,” said Ryan, a former federal prosecutor. “All eleven of these front companies for Micfo are still up on the Web, where you see all these wonderful people who allegedly work there. And meanwhile we were receiving notarized affidavits in the names of people that were false. It made it much more interesting to do this case because it created 11 states where they’d violated the law.”

The criminal complaint against Golestan and Micfo (PDF) includes 20 counts of wire fraud associated with the phony companies allegedly set up by Micfo.

John Levine, author of The Internet for Dummies and a member of the security and stability advisory committee at ICANN, said ARIN does not exactly have a strong reputation for going after the myriad IP address scammers allegedly operating in a similar fashion as Micfo.

“It is definitely the case that for a long time ARIN has not been very aggressive about checking the validity of IP address applications and transfers, and now it seems they are somewhat better than they used to be,” Levine said. “A lot of people have been frustrated that ARIN doesn’t act more like a regulator in this space. Given how increasingly valuable IPv4 space is, ARIN has to be more vigilant because the incentive for crooks to do this kind of thing is very high.”

Asked if ARIN would have the stomach and budget to continue the fight if other IP address scammers fight back in a similar way, Ryan said ARIN would not back down from the challenge.

“If we find a scheme or artifice to defraud and it’s a substantial number of addresses and it’s egregious fraud, then yes, we have a reserve set aside for litigation and we can and will use it for cases like this,” Ryan said, adding that he’d welcome anyone with evidence of similar schemes to come forward. “But a better strategy is not to issue it and never have to go back and revoke it, and we’re good at that now.”

35 thoughts on “A Tough Week for IP Address Scammers”

  1. sirk

    Brian, I think “shelf companies” may be a typo.

    1. BrianKrebs Post author

      No, perhaps I should hyperlink it. Shelf companies refers to a large network of shell companies that have been set up for the expressed purpose of having someone at a later date buy the company in order to have a company that has no previous record and nevertheless appear to be one on the record for years. The sole purpose of a shelf company is to exist and age until someone deems it valuable enough to use it for a particular purpose.

        1. Rob Shein

          Sirk,

          Think of it like this…reputation engines all over the place make decisions based around aging. New accounts without much karma cannot post in a lot of subs on Reddit, emails from new domains get a higher risk weighting in spam filters, etc. In the analog world, the same is true of corporations; a business that was created last week but which claims to have significant revenue sets off all kinds of alarm bells. Fraud and money laundering examiners have learned that these are usually shell corporations whose sole intent is to hide the real nature of the transactions they process.

          In response to this, the entities that make their living producing front companies started aging them…creating them en masse, letting them sit “on the shelf” for years, and then selling them (or use of them).

      1. William Nicholl

        So cool. Thanks for the info!

  2. Rick

    “Golestan also organized a second transaction for another 65,536 IP addresses, for another approximately $1 million”

    Just happens to be 16 bits worth of IP addresses?

    1. SeymourB

      Also known as a class B subnet.

      192.168.X.X

  3. Serg

    Did I read this correctly, that in addition to civil litigation there will be criminal charges brought upon Mr. Golestan? Chances are, Micfo will fold and won’t pay up the 350k owed per arbitration ruling.

    1. Rob Shein

      He has already been indicted for fraud…so yeah.

  4. some guy

    This is just the tip of the iceberg, you should look up the biggest IP hoarders and compare actual utilization to how many IPs are on their networks.

    I have a hunch, we’ll call it, that the names who bubble to the top of your list didn’t turn in the best of justification to obtain the blocks.

    I have a further hunch, we’ll call it, that the companies that bubble to the top of your list will all sell in the next few years (and a few have sold already.)

    1. Pete

      Unfortunately, it is colleges and universities. Many have a /16 or multiple /16’s with 10% or fewer actually in use. They were the first on the internet, and like an episode of Oprah, everyone in the academic space got a /16. This includes many with under 5K students.

        1. San

          Oprah reference: She did an episode giving out cars to audience and famously saying “you get a car, and you get a car…” etc.

  5. Rob Shein

    I decided to Google the CEO, and came across this tidbit…a few months ago, the Charlottesville Young Professionals group had him as a guest speaker to kick off their 2019 year…

    (Source: The Palmetto Business Daily)
    “Micfo CEO Amir Golestan attended as guest speaker. The successful businessman from Charleston started a globally dispersed cloud platform provider that now has a customer base from all over the world. He shared life’s lessons on self-reliance along with the importance of establishing good values as a foundation for effective business leadership.”

    Ouch.

    1. ron G

      Ummm… yea. And the guy also bought a venerable old mansion in Charleston, SC for a cool $4 million.

      At some point, unless he manages to skip out of the country, I do believe that he’ll be trading that in for a long stay in the Graybar Hotel.

      Magic 8 Ball says “I see an orange jumpsuit in your future.”

  6. Aidan Gauland

    What is the actual crime here? And what does it mean for a party to obtain IP addresses under false pretenses? What are the rules for getting a block of addresses that the spammers are breaking?

    Also, is this sort of thing going to just get worse until most of the world transitions to IPv6?

    1. Some Other Guys

      RTFA – the criminal issue is wire fraud and it is federal because he did it across state lines.

    2. V

      He was fraudulently acquiring what should have been free assets and selling them to foreign entities for profit. Not only that, they were being transferred to other networks and are no longer accessible to organizations supported by ARIN. There’s basically no way to get them back once they’ve been accepted by RIPE, APNIC, etc.

      1. Aidan Gauland

        Oh, I think I get it now. The IP addresses were only supposed to go to entities operating in that region, and only so many per entity, so the fraud is in pretending to be many unrelated companies operating in that region.

        Thanks for explaining. I am mostly confused by the administration of the Internet at this level.

    3. Anon404

      Almost anything done under false pretenses is a form of fraud.

  7. Dave

    As I read this, it also reminded me of DNS hoarding. That may not be illegal, as far as I know, but it is somewhat unethical; kind of along the lines of price gouging. I am a strong advocate for holding registrars and especially web hosting companies more responsible for the oversight of the services they offer to fraudulent clients.

  8. A Nonni Mousse

    Never ceases to amaze me when another KrebsonSecurity story shines another light on yet another example of how poorly managed global digital industries are, and how unethical so many “leaders” are.

    NordVPN does a large amount of business with Micfo LLC’s ISP.

    Given the lack of ethics involved in too many of the Internet’s industries, I’m hoping no one at a VPN sold decryption keys to other shady interests for millions of dollars/roubles/renminbi.

  9. Anonymous person

    The idiot technocrats at ICANN (and ARIN and the rest of the RIRs) designed and implemented this problem from the ground up, and the effects of the “IP Address Scammers” are just a rounding error.

    Publicly-routable IPv4 addresses (shortened to IPv4 addresses here for the sake of brevity; I’m not including RFC1819 addresses, multicast, etc.) are a valuable economic resource. This is not a political dogma argument; it is a technical economic fact. IPv4 addresses are “rivalrous” – meaning that while their owners can multiplex their utilization among their internal purposes or those of their customers – an IPv4 address cannot be owned by more than one entity. ISP A in the United States can’t use the same IPv4 This is in contrast to resources like software that can be reproduced and used by multiple entities. IPv4 addresses are scarce – there is a fixed number of them (although some are wasted by inefficient and outdated standards). IPv4 addresses have value – meaning people are willing to pay for them.

    So given the stewardship over the allocation of a scarce, rivalrous, and valuable economic resource, the ivory-tower imbeciles at ICANN and the RIRs decide they should be given away for free. You can have whatever economic or political ideology you want, but the real-world consequences of this will be:

    1) Wasteful utilization – Optimal utilization of a resource, in this case how much multiplexing vs. dedicated / single-task use makes sense and if standards can be altered to improve utilization efficiency, can only be discussed in terms of price. When prices are artificially low, the perception of what is optimal is also artificially low. Any network engineer who does meaningful work on the Internet can easily see the effects of this. A good example is the fact that the overwhelming majority of point-to-point Internet links still use /30 subnets, which waste half of the addresses involved for subnet and broadcast – neither of which have any use whatsoever in a subnet with exactly two and only two endpoints. Most routing equipment will let you get away with using a /31 here. Is there any point whatsoever for maintaining a dedicated subnet address on any network anymore? And if you think about it, how often are subnet broadcasts used in publicly-routable space? Don’t get me started on end-users who use unique IPs with no inbound port utilization overlap whose inbound connections are mediated by the same firewall. Pure waste. If you look at how many hosting companies could throw more web sites behind single IPs using HTTP server identity multiplexing, there’s another Mt. Everest-size pile of waste.

    2) Hoarding – Because prices are artificially low and have resulted in artificial scarcity, any organization with ongoing IPv4 needs that isn’t run by idiots is *forced* to hoard addresses for future use. This is because the combination of scarcity and waste makes future availability and price uncertain (outside of black markets).

    3) Black Markets – When there is a significant difference between the selling price and the actual value of any scarce, rivalrous resource, black markets emerge to arbitrage the difference (they’re always black markets because the only way such differences exist in these cases is ill-considered regulation; therefore anyone working around them is doing so illegally). Ironically, for all of the pearl clutching I see in this discussion, the black markets actually help to determine the real value of an IPv4 address and that sends some signals to help reduce wasteful utilization. Weak signals, but something is better than nothing in that area.

    These three outcomes are as predictable as gravity. You can have whatever belief system you want, but reality says they’re going to happen. There are no exceptions. Argue until you’re blue in the face. It makes no difference. It’s because all three of these outcomes are based on behavior that is extremely rational at the individual level, and that is how the overwhelming majority of decisions made by humans are made. The art of good regulation is to understand human decision-making in the real world and work with it, not against it. The more this is ignored, the bigger the mess you wind up with – and IPv4 allocation is an absolutely spectacular mess. Unfortunately, the people who wind up wanting to regulate things tend to be the ones with deeply Quixotic and Utopian urges to mold human behavior to their whims, and this tends to occur when their whims are deeply out of line with the zeitgeist there.

    I’ve said for years that the notion that we’re running out of IPv4 addresses is just absurd. We’ve probably got enough for another hundred years, even taking into account IoT and whatnot. We were going to and did run out of free IP addresses, because… umm… they were free. Duh. The truth is that they have a real price, and the reality-avoidance crews running ICANN and the RIRs refused to find out what it is. The more openly companies can buy and sell IPv4 blocks, the more accurate the expectations for pricing and trade availability will be, and that will control wastefulness (as costs go up, owners will be forced to better economize) and make hoarding more expensive relative to buying on the spot market.
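Two points raised in this thread can be checked with nothing more than Python's standard `ipaddress` module: that a /16 is exactly 2^16 = 65,536 addresses (the "16 bits worth" remark above), that "publicly routable" means excluding RFC 1918, multicast and the other special-purpose ranges, and that a /30 on a point-to-point link wastes half its addresses where a /31 (RFC 3021) wastes none. The following is an added example, not code from the article or from any commenter; the `NON_ROUTABLE` table is my own list of IANA special-purpose ranges, and every prefix in the sample data is a constructed or documentation value, not a block from the Micfo case.

```python
"""Added example (not from the KrebsOnSecurity post or its commenters).

Computes block sizes, flags overlap with special-purpose address space,
and compares /30 versus /31 numbering on point-to-point links.
All prefixes used as input are constructed samples.
"""
import ipaddress

# Special-purpose IPv4 ranges that should never appear in the public routing
# table. Listed explicitly (instead of relying on ipaddress's is_global, whose
# behaviour changed between Python versions) so results are stable.
NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "100.64.0.0/10",    # shared address space (CGNAT), RFC 6598
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # RFC 1918 private
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # RFC 1918 private
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, including limited broadcast
)]


def describe_block(cidr: str) -> dict:
    """Size of a block and which special-purpose ranges (if any) it overlaps."""
    net = ipaddress.ip_network(cidr, strict=True)
    overlaps = [str(r) for r in NON_ROUTABLE if net.overlaps(r)]
    return {
        "network": str(net),
        "addresses": net.num_addresses,   # a /16 holds 2**16 = 65,536
        "publicly_routable": not overlaps,
        "overlaps": overlaps,
    }


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Host addresses usable on a link.

    On a /30 the first and last addresses are reserved as the network and
    broadcast addresses. RFC 3021 lets a /31 use both of its addresses for
    the two endpoints, and a /32 is a single host.
    """
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def point_to_point_waste(links) -> dict:
    """Total, usable and wasted addresses across a set of point-to-point links."""
    total = usable = 0
    for cidr in links:
        net = ipaddress.ip_network(cidr, strict=True)
        total += net.num_addresses
        usable += usable_hosts(net)
    return {"total": total, "usable": usable, "wasted": total - usable}


if __name__ == "__main__":
    print(describe_block("192.168.0.0/16"))   # 65,536 addresses, RFC 1918
    print(describe_block("192.0.2.0/24"))     # documentation range, not routable
    # Constructed sample: four links numbered as /30s, then the same four as /31s.
    as_slash30 = ["198.51.100.0/30", "198.51.100.4/30",
                  "198.51.100.8/30", "198.51.100.12/30"]
    as_slash31 = ["198.51.100.0/31", "198.51.100.2/31",
                  "198.51.100.4/31", "198.51.100.6/31"]
    print(point_to_point_waste(as_slash30))   # half of 16 addresses wasted
    print(point_to_point_waste(as_slash31))   # 8 addresses, nothing wasted
```

`strict=True` makes `ip_network` reject a prefix whose host bits are set, so a mistyped link prefix fails loudly rather than being silently masked. The overlap check deliberately reports every special-purpose range a large block touches, which is more useful than a single yes/no when auditing a /8 or /16.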

    1. vb

      Thank you for taking the time to explain this issue.

    2. Another anonymous person

      It’s easy to criticize in hindsight. I’d be shocked if you would have done any better than the people who set up ICANN and ARIN in the late 90’s. Your point might be better made if it wasn’t obscured by your name-calling. This smacks of ranting from Mommy and Daddy’s basement.

      The fact that there is even a problem with IPv4 addresses points to the fact that NOBODY had any idea that the internet would be what it is today. The original RFC for IPv4 was written in 1981 (were you even born then?) when computer-to-computer communications were generally over phone lines and 1200 baud was considered fast. The fact that IPv4 is still in use points to the fact that distributed technology is hard to upgrade, expensive to upgrade, and lots of those who would benefit don’t understand why they should spend the money.

  10. DavidD

    Is this contention for IPv4 addresses ever going to end? I seem to recall a migration to IPv6 that should be happening now. There are more IP addresses in that 128 bit address space than there are grains of sand and droplets of water on earth.

    1. Tom Samplonius

      Even this website is not accessible over IPv6.

      If you manage hosting for a website, please enable IPv6.

  11. DarrellR

    A bit of history for context:

    IPv4 was designed in the late 1970’s and early 1980’s. It went live on 1/1/1983 (a “flag day” migration) with 4.2 billion possible addresses. At the time that was thought to be more than enough for a research network. Commercial activity on the Internet was not common until ~1995.

    IPv6 was designed in the late 1990’s. The Internet has been gradually deploying IPv6 in parallel with IPv4 for the past 20 years. Many end hosts now have both IPv4 and IPv6 connectivity, but many websites (and other Internet services, including many online games) remain IPv4 only. In some cases, websites have both an IPv4 and IPv6 front-end, but use IPv4-only in their backend.

    2/1/2030 has been declared an “IPv4 Flag day”. The plan is for major open source vendors to remove legacy IPv4 support from their operating systems after that date. As with most things on the Internet, compliance with the flag day is voluntary.

  12. Readership1

    A lot of thoughtful comments. Nice.

  13. thimslugga

    I dealt with this guy Amir / Micfo at my previous job. He had us announce some IP ranges and somebody ended up reaching out shortly after claiming we were announcing their IP range. The Amir guy had provided falsified docs and made all kinds of excuses such as third party was sour over a deal gone bad and he had permission to use the IP addresses. We revoked the announcement immediately and he tried to have us announce new ranges but we pushed back when the new docs were missing key info. The guy was a huge PITA to deal with and our NOC had a feeling he was up to something shady. He tried to come back a couple years later and we told him to kick rocks.

  14. Serguei Kireev

    this all is soooo unsettling.. how about when those IPs are finally taken back by ARIN and then again, already tainted by spammers, dished out to the populace? this will have long reverberations across the net..
